The following section helps the admin plan their VMware Workspace ONE environment. It provides practical information in greater detail to help the admin plan a VMware Workspace ONE Unified Endpoint Management (UEM) management solution that addresses the unique circumstances of their use cases.
Workspace ONE UEM Powered by AirWatch introduces modern methods to deploy, control, and manage an organization’s PC fleet, including capabilities for Windows 10.
Traditionally, enterprises used multiple administrative tools to manage the PC life cycle: separate tools for staging and imaging, for managing OS updates, for maintaining drivers, for configuring the firewall, antivirus, and encryption policies, and more. In contrast, Workspace ONE UEM unifies enterprise mobility management within a single administrative console.
The launch of Windows 10 brought fundamental changes to the Windows operating system to counter the security and data concerns of today’s digital workspace. The admin can fold the Windows 10 functionality into an existing VMware management solution to take advantage of Workspace ONE UEM capabilities. Combining modern enterprise management capabilities with traditional client requirements creates a simplified, cost-effective management solution.
Basic principles of Windows 10 Endpoint Onboarding
Use Workspace ONE UEM to assess device posture, establish user trust, and enable data loss prevention.
Establishing User Trust
Workspace ONE UEM uses new identity features to establish user trust. These features require an enrolled, managed, and compliant device to satisfy two factors of authentication (two-factor authentication).
The first factor is device onboarding: the procedure of enrolling the device into Workspace ONE UEM for management in the Workspace ONE UEM Console (the Console).
Users with Microsoft Azure AD can use Windows Hello capabilities such as PIN authentication and biometric access as the second authentication factor. Workspace ONE UEM can allow or disable the biometric feature on end users’ devices and enforces the PIN strength requirements.
Adding certificate authentication (or another authentication type) for apps and corporate resources provides a layered authentication model for added security. Workspace ONE UEM also integrates with Windows Hello for biometric authentication.
Assessing Device Posture
Workspace ONE UEM assesses device posture with the compliance engine, a Workspace ONE UEM tool that locally enforces, evaluates, and remediates devices so that all devices abide by specified policies. A policy may include basic security settings or more critical security customizations.
The compliance engine detects non-compliant devices and sends the end user a warning. If the end user addresses the issue after the warning, no further action is taken. If the end user does not correct the issue within the specified time frame, the process escalates and disciplinary actions occur.
Use the Workspace ONE UEM Console to specify the grace periods, escalation steps, disciplinary actions, and messages. With each security action the end user does not respond to, the risk level escalates.
Preventing Data Loss
Modern Windows 10 management with Workspace ONE UEM maximizes the native Windows Information Protection capabilities to help minimize the risk of data loss. Windows Information Protection can be used to define:
- Privileged applications
- Protection levels
- Enterprise boundaries
- Application access
Windows Information Protection encrypts all corporate data at the file level, and the data is decrypted only when accessed by a privileged application. An enterprise wipe removes all corporate data from the device.
Note: Windows Information Protection operates only at the device level. It cannot guarantee data protection if data is transferred to a file share or cloud repository; shared data is instead protected by integrating with a rights management service (RMS).
In addition to delivering managed applications to devices through enrollment, Windows 10 can also bring apps that were not deployed through Workspace ONE UEM Mobile Device Management into a managed state when the admin designates them as privileged applications.
The updated Windows 10 SDK allows application developers to create enlightened apps that manage personal and corporate data within privileged applications. For all options, administrators can configure a policy that prohibits an application from sharing corporate data with a personal app, site, or repository.
Per-App VPN prevents Windows 10 applications from gaining unauthorized access to internal or public endpoints. Its client-side micro-segmentation capabilities define which ports, IP addresses, and IP protocols Windows 10 applications can access.
The admin can also use privileged applications to simplify per-app VPN configurations. Depending on the needs of the organization, one or both of the following options can be used:
- A unique VPN configuration for every privileged application.
- The same VPN configuration for all privileged applications.
Enterprise boundaries on Windows 10 use specified IP ranges or domains to recognize and encrypt work data downloaded to a device. The downloaded files are encrypted and can be opened only with a privileged application. For example, if the domain air-watch.com is specified as a protected network, data downloaded from sharepoint.air-watch.com can be accessed only by the privileged applications on that device.
The admin can configure varying levels of protection for user groups to meet organizational demands and device use cases. The protection levels are:
- Block – Only privileged applications can access corporate data.
- Override – A warning prompt appears if a user tries to access corporate data with a non-privileged application. The user can choose to complete the action, and the action is recorded in an audit log.
- Audit – A user can access corporate data with a non-privileged application, but the action is logged in an audit log.
- Off – Windows Information Protection is disabled.
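The following added example (not VMware's or Microsoft's code) models how the Windows Information Protection controls described above fit together: the enterprise boundary decides which downloads are tagged as work data, the privileged-app list and the protection level decide which apps may open it, and the Override and Audit levels write audit-log entries. The domain, app names, and audit-log format are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class ProtectionLevel(Enum):
    BLOCK = "Block"        # only privileged apps can open work data
    OVERRIDE = "Override"  # warn the user; a completed override is audited
    AUDIT = "Audit"        # allow silently, but audit the access
    OFF = "Off"            # WIP disabled


@dataclass
class WipPolicy:
    level: ProtectionLevel
    privileged_apps: frozenset      # apps the admin designated as privileged
    protected_domains: tuple        # enterprise boundary, e.g. ("air-watch.com",)
    audit_log: list = field(default_factory=list)

    def in_enterprise_boundary(self, host: str) -> bool:
        """True when host is a protected domain or a subdomain of one.
        The suffix match is anchored on a dot, so 'notair-watch.com'
        does not match the boundary 'air-watch.com'."""
        host = host.lower().rstrip(".")
        for domain in self.protected_domains:
            domain = domain.lower()
            if host == domain or host.endswith("." + domain):
                return True
        return False

    def classify_download(self, host: str) -> str:
        """Downloads from inside the boundary are tagged (and encrypted) as work data."""
        return "work" if self.in_enterprise_boundary(host) else "personal"

    def open_file(self, app: str, data_class: str, user_overrides: bool = False) -> str:
        """Decide whether `app` may open a file of the given class.
        Returns 'allow', 'deny', or 'prompt' (Override level, user did not proceed)."""
        if data_class != "work" or self.level is ProtectionLevel.OFF:
            return "allow"                     # personal data or WIP off: unrestricted
        if app in self.privileged_apps:
            return "allow"                     # privileged apps decrypt transparently
        if self.level is ProtectionLevel.BLOCK:
            return "deny"
        if self.level is ProtectionLevel.OVERRIDE:
            if not user_overrides:
                return "prompt"                # warning shown, user declined
            self.audit_log.append((app, "override"))
            return "allow"
        self.audit_log.append((app, "audit"))  # AUDIT level: allowed but logged
        return "allow"


def demo() -> dict:
    """Run the scenario from the text with air-watch.com as the protected network."""
    results = {}
    for level in ProtectionLevel:
        policy = WipPolicy(level, frozenset({"Outlook", "Word"}), ("air-watch.com",))
        tag = policy.classify_download("sharepoint.air-watch.com")   # constructed host
        results[level.value] = {
            "privileged": policy.open_file("Word", tag),
            "unprivileged": policy.open_file("Notepad", tag),
            "unprivileged_override": policy.open_file("Notepad", tag, user_overrides=True),
            "personal": policy.open_file("Notepad", policy.classify_download("notair-watch.com")),
            "log_entries": len(policy.audit_log),
        }
    return results


if __name__ == "__main__":
    for level, outcome in demo().items():
        print(level, outcome)
```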
Onboard Windows 10 Desktop Enrollment Methods
Simplify end-user enrollment by configuring the Windows Auto-Discovery Service (WADS) in the enterprise Workspace ONE UEM environment. Both an on-premises solution and cloud-based WADS are supported.
Enrollment uses one of the following: the native MDM functionality of the Windows operating system, Azure AD integration, or Workspace ONE Intelligent Hub for Windows.
If the admin wants to use Workspace ONE UEM to manage Windows devices that are managed by SCCM, the VMware AirWatch SCCM Integration Client must be downloaded. Use this client to onboard SCCM-managed devices into Workspace ONE UEM.
- Workspace ONE Intelligent Hub for Windows Enrollment
Workspace ONE Intelligent Hub for Windows is the simplest enrollment workflow for Windows devices. End users simply download Workspace ONE Intelligent Hub from getwsone.com and follow the prompts to enroll.
Workspace ONE Intelligent Hub can be used for the Windows enrollment workflow. Workspace ONE UEM also supports additional enrollment flows that meet specific use cases.
- Azure AD Integration Enrollment
Windows devices automatically enroll into Workspace ONE UEM through integration with Microsoft Azure Active Directory, with minimal end-user interaction. Azure AD integration enrollment simplifies enrollment for both end users and admins. It supports three different enrollment flows: Out of Box Experience enrollment, Office 365 enrollment, and Join Azure AD. All methods require customizing Azure AD integration with Workspace ONE UEM.
- The admin must configure Workspace ONE UEM and Azure AD before endpoint devices can be enrolled using Azure AD integration.
- Native MDM Enrollment:
Workspace ONE UEM supports enrolling Windows Desktop devices using the native MDM enrollment workflow. The name of the native MDM solution varies depending on the version of Windows. This enrollment flow changes depending on the version of Windows and on whether the admin uses WADS.
Only users who have local admin permissions on the device can enroll it into Workspace ONE UEM and enable MDM.
- Device Staging
Consider using Windows Desktop device staging if the admin wants to customize device management on a Windows 10 device before sending it to the end user. With this enrollment workflow, the admin can enroll a device through Workspace ONE Intelligent Hub, install device-level profiles, and then ship the device to the end user. The two methods of device staging are manual installation and command-line installation. Manual installation requires devices to be domain-joined to an Azure AD integration. Command-line installation works for all Windows 10 devices.
- Windows Desktop Auto-Enrollment:
Workspace ONE UEM supports auto-enrollment of specific Windows Desktop devices that are purchased from Dell. Auto-enrollment simplifies the enrollment process by automatically onboarding registered devices with the correct Windows 10 image following the Out-of-Box Experience. Only select Dell Enterprise devices support the Windows 10 Provisioning Service by VMware. The auto-enrollment functionality must be purchased as part of the order from Dell.
- Bulk Provisioning and Enrollment:
Bulk provisioning creates a pre-configured package that stages Windows 10 devices and enrolls them into Workspace ONE UEM. Bulk provisioning requires downloading the Microsoft Assessment and Development Kit and installing the Imaging and Configuration Designer tool, which creates the provisioning packages used to image devices.
With the bulk provisioning workflow, the admin can include Workspace ONE UEM settings in the provisioning package so that provisioned devices automatically enroll during the initial Out of Box Experience.
- Registered Mode – Enroll Without Device Management
The admin can allow Registered Mode so that some Windows devices can onboard into Workspace ONE UEM without device management services. Assign this mode to the whole organization group or to smart groups.
Configuring Cloud Windows 10 Auto Discover Service
Native MDM Enrollment for Windows Desktop
All Windows Desktop enrollment methods use the Work Access native MDM client. Use native MDM enrollment to enroll both corporate-owned and BYOD devices through the same enrollment flow. Devices can be enrolled with or without Windows Auto-Discovery.
For domains linked to Office 365 or Azure AD, when the admin selects Connect, Work Access first processes an Azure AD workflow and does not automatically complete the enrollment workflow. If the admin uses Azure AD or Office 365 without a premium license, consider using the Workspace ONE Intelligent Hub instead of native MDM enrollment to enroll Windows 10 devices. To complete the enrollment workflow using native MDM enrollment, select Connect twice. If the enterprise has an Azure AD Premium license, the admin can enable Require Management in the Azure instance so that native MDM enrollment completes the enrollment flow after the Azure workflow. If the admin does not use Office 365 or Azure AD, native MDM enrollment can be used without issue.
Only users who have local admin permissions on the device can enroll it into Workspace ONE UEM and enable MDM. Domain Admin permissions do not work for enrolling a device. To enroll a device with a standard user, use Bulk Provisioning for Windows 10 devices.
Simplify enrollment for the end user by using the Windows Auto-Discovery Service, which reduces the interaction required during enrollment.
Devices joined to a domain can enroll using the native Workplace enrollment. The email address entered in the settings is auto-populated with the Active Directory UPN attribute. Download the optional update if the end user wants to use a different email address.
Enroll Through Work Access With Windows Auto-Discovery
Work Access is the native MDM enrollment method for Windows 10 devices. Enrolling through Work Access with Windows Auto-Discovery provides a quick and easy enrollment flow for end users.
Registering the domain in Workspace ONE UEM removes the need to provide the Group ID during enrollment.
Note: Consider using the Workspace ONE Intelligent Hub for Windows instead of native MDM enrollment to enroll Windows 10 devices. If the enterprise uses Office 365 or Azure AD on the same domain, the native MDM enrollment flow does not onboard devices into MDM.
- On the device, navigate to Settings, go to Accounts, click on Work Access, and select Enroll into the device.
- In the Email text box, enter the user name provided to the end user in the format Username@domain.com (such as email@example.com), where the domain is the domain for the environment. Click on Continue.
- Enter the Group ID and click on Next.
- Enter the username and password and click on Next. These credentials may be dedicated credentials specific to the Workspace ONE UEM environment or directory services credentials.
- Optional: Click on Yes to save sign-in info.
Result: The device then attempts to connect to Workspace ONE UEM. If it connects successfully, a briefcase icon displays with Workspace ONE UEM written next to it; this icon indicates a successful connection to Workspace ONE UEM.
Enroll Through Work Access Without Windows Auto-Discovery
Work Access is the native MDM enrollment method for Windows 10 devices. When enrolling through Work Access without WADS, end-user credentials have to be entered manually.
Consider using the Workspace ONE Intelligent Hub instead of native MDM enrollment to enroll Windows 10 devices. If the enterprise uses Office 365 or Azure AD on the same domain, the native MDM enrollment flow does not onboard devices into MDM.
- On the device, navigate to Settings, go to Accounts, click on Work Access, and then select Enroll into the device.
- In the Email text box, enter the user name the admin provided to the end user in the format Username@domain.com (such as firstname.lastname@example.org), where the domain is the domain for the environment.
- Enter the server address in the form <DeviceServicesURL>/DeviceServices/Discovery.aws. Do not include ‘https://’ in the URL. For instance: ds156.awmdm.com/deviceservices/discovery.aws.
- Click on Continue.
- Enter the Group ID and click on Next.
- Enter the username and password and click on Next. These credentials may be dedicated credentials specific to the Workspace ONE UEM environment or enterprise directory services credentials.
- Optional: Click on Yes to save sign-in info.
Result: The device then tries to connect to Workspace ONE UEM. If it connects successfully, a briefcase icon displays with Workspace ONE UEM written next to it; this icon indicates a successful connection to Workspace ONE UEM.
Workspace ONE UEM and Azure AD Integration
Automatically enroll Windows 10 devices into Workspace ONE UEM through integration with Microsoft Azure Active Directory, with minimal end-user interaction.
The admin must configure Workspace ONE UEM and Azure AD before enrolling devices using Azure AD integration. The configuration requires setting up the Workspace ONE UEM deployment to facilitate communication and entering information into Azure AD.
Azure AD integration enrollment supports three different enrollment flows: Join Azure AD, Out of Box Experience enrollment, and Office 365 enrollment. All methods require customizing Azure AD integration with Workspace ONE UEM.
Important: Enrollment through Azure AD integration requires an Azure Active Directory Premium license and Windows 10.
Configure Workspace ONE UEM to use Azure AD as an Identity Service.
Before the admin can use Azure AD to enroll Windows devices, enable Azure AD as an Identity Service in Workspace ONE UEM. This is a two-step process that also requires adding the MDM-enrollment details to Azure.
To integrate Workspace ONE UEM with Azure AD, the enterprise must have a Premium Azure AD P1 or P2 subscription. Workspace ONE UEM with Azure AD integration must be configured at the tenant where Active Directory (such as LDAP) is configured.
Important: If the admin is setting the Current Setting to Override on the Directory Services system settings page, the LDAP settings must be configured and saved before enabling Azure AD for Identity Services.
- Go to Groups & Settings, navigate to All Settings, go to System, click on Enterprise Integration, and select Directory Services.
- Sign in to the Azure Management Portal with the Microsoft account or organizational account.
- Go to the Mobility (MDM and MAM) tab and select the directory.
- Click on Add Application, go to the AirWatch by VMware application, and click on Add.
- Select the AirWatch by VMware app that the admin added and modify the MDM user scope to All.
- Add an on-premises app by choosing Add Application, navigating to the On-Premises MDM application, and then clicking Add.
- Configure the on-premises MDM application by selecting the On-Premises MDM application again. Set the MDM user scope to All or Some and select a group of users.
- Enter the Workspace ONE UEM console URLs into the On-Premises MDM application and save the settings.
- Paste the MDM Enrollment URL from the Workspace ONE UEM console into the MDM discovery URL text box in Azure.
- Select On-premises MDM application settings and then click on Expose an API.
- Select Edit for Application ID URI, enter the Device Services URL in the Application ID URI text box, and save the settings.
- Select and assign premium licenses in Azure.
- In the Microsoft Azure console, navigate to Azure Active Directory, go to Licenses, and click on All Products. Select the proper license in the list.
- Click on Assign, select the users or groups for the license, and click on Assign.
- Copy the primary domain and Directory ID to enter into the Workspace ONE UEM console.
- Go to the Properties tab, navigate to the Azure Directory ID, and copy it.
- Select Custom domain names and copy the Name that is listed as the primary domain.
- Return to the Workspace ONE UEM console, select Use Azure AD for Identity Services, and configure Azure AD Integration.
- Enter the directory ID the admin copied into the Directory ID text box.
- Enter the primary domain the admin copied into the Tenant Name text box.
- Click on Save to finish the process.
Enroll a Device with Azure AD
Enrolling devices with Azure AD integration in Workspace ONE UEM automatically onboards each device into the correct organization group. Devices enrolled through Azure AD join the domain completely, meaning all users on the device join the domain.
This enrollment flow is used for devices not already onboarded to Azure AD.
- On the Windows 10 device, navigate to Settings, go to Accounts, and click on Access Work or School. Click on Continue.
- Provide the Email Address. Click on Next.
- Make sure that the Workspace ONE UEM welcome page is shown. Click on Continue.
- Click on Join to confirm that the admin wants to enroll in Workspace ONE UEM.
- Click Finish to complete joining the device to Workspace ONE UEM. The device now downloads the applicable policies and profiles.
Onboard an Azure AD Managed Device into Workspace ONE UEM
Devices that are already joined to Azure AD use a different enrollment flow than devices enrolling through Azure AD integration. Use this enrollment flow to onboard a device that is already joined to Azure AD into Workspace ONE UEM. This flow requires:
- Windows 10 OS build 14393.82 or higher.
- An Azure AD account configured on the device.
- No MDM applications installed under the Azure AD management portal.
- KB update KB3176934 installed.
- On the device, go to Settings, navigate to Accounts, go to Access work or school, and click on Enroll only in device management. The Workspace ONE Intelligent Hub for Windows can also be used to enroll.
- Complete the enrollment process. Enter an email address with a different domain than the Azure AD account.
- If the admin is using Windows Auto-Discovery, refer to Enroll Through Work Access With Windows Auto-Discovery.
- If the admin is not using Windows Auto-Discovery, refer to Enroll Through Work Access Without Windows Auto-Discovery.
- Go to Settings, navigate to Accounts, and click on Access work or school to ensure that both an Azure AD account and a Workspace ONE UEM MDM account are added.
Enroll Through Office 365 Apps
If the admin uses Office 365 and Azure AD integration, end users can enroll their devices the first time they open an Office 365 app.
- The first time an Office 365 application is opened, navigate to Add a Work Account.
- Enter the Email Address and Password. Click on Sign In.
- Ensure that the Workspace ONE UEM welcome page is displayed. Click on Continue.
- Select Join to confirm that the admin wants to enroll in Workspace ONE UEM.
- Select Finish to complete onboarding the device to Workspace ONE UEM. The device now downloads the applicable policies and profiles.
Enroll Through Out of Box Experience
Out of Box Experience (OOBE) enrollment automatically enrolls a Windows 10 device into the correct organization group as part of the device’s initial setup and configuration.
Important: The OOBE enrollment flow does not support the Enterprise Wipe, because the wipe breaks the connection to Azure AD and users can no longer log into the device. Before sending an Enterprise Wipe, the admin must create a local admin account; otherwise, users are locked out of the device and forced to reset it.
The OOBE process can take some time to complete on end-user devices. Consider enabling the progress display for the install status so that end users know where they are in the process. Go to Groups & Settings, navigate to All Settings, go to General, click on Enrollment, and select Optional Prompt. To display the status of profiles during enrollment, the admin must enable the Track Profile Status during the OOBE Provisioning option in the General profile settings.
- Power on the device and follow the steps to configure Windows until the Choose how you’ll connect screen is reached.
- Navigate to Join Azure AD. Click on Continue.
- Enter the Azure AD/Workspace ONE UEM email address as the Work or school account.
- Enter the Password. Click on Sign In.
- Ensure that the Welcome to AirWatch screen is shown. Click on Continue.
- Enter the Asset Number if applicable and select the Device Ownership type. Click on Next.
- Click on Join to confirm that the admin wants to enroll in Workspace ONE UEM.
- Click on Finish to complete joining the device to Workspace ONE UEM. The device now downloads the applicable policies and profiles.